References
1. Expanding the scope of the VPN to include additional machines on either the client or server subnet.
2. Accessing LAN resources when OpenVPN is not LAN’s GW
3. Lans behind OpenVPN
4. NAT-hack
OpenVPN configuration should be set properly before setting routing.
For Windows
1. Ip Forwarding. (equivalant to ‘net.ipv4.ip_forward = 1’ on linux box)
In regedit, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Change IpEnableRouter to 1.
PS C:\Windows\system32> Set-ItemProperty HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1 PS C:\Windows\system32> Get-ItemProperty HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter IPEnableRouter : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\Windows\system32>
2. Ip Masquerading. (equivalnt to ‘iptables MASQUERADE’ on linux box)
2-A. Use Powershell cmdlet New-NetNAT.
PS C:\Windows\system32> Get-NetIPAddress | Where-Object {$_.InterfaceAlias -Eq "OpenVPN TAP-Windows6" -And $_.AddressFamily -Eq "IPv4" }
IPAddress : 10.7.0.20
InterfaceIndex : 9
InterfaceAlias : OpenVPN TAP-Windows6
AddressFamily : IPv4
Type : Unicast
PrefixLength : 24
PrefixOrigin : Dhcp
SuffixOrigin : Dhcp
AddressState : Preferred
ValidLifetime : 364.06:00:02
PreferredLifetime : 364.06:00:02
SkipAsSource : False
PolicyStore : ActiveStore
PS C:\Windows\system32> New-NetNAT -Name MYVPNNAT -InternalIPInterfaceAddressPrefix 10.7.0.20/24
2-B. Use Internet Connect Share (ICS)
Edit HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters
Change ScopeAddress and ScopeAddressBackup to OpenVPN ip, then turn on ICS.
PS C:\Windows\system32> Set-ItemProperty HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters -Name ScopeAddress -Value "10.7.0.20" PS C:\Windows\system32> Set-ItemProperty HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters -Name ScopeAddressBackup -Value "10.7.0.20" PS C:\Windows\system32> Get-ItemProperty HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters -Name ScopeAddress ScopeAddress : 10.7.0.20 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\Windows\system32> Get-ItemProperty HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters -Name ScopeAddressBackup ScopeAddressBackup : 10.7.0.20 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\Windows\system32>
After reboot the computer, ICS doesn’t work properly.
Windows 10 Internet Connection Sharing(ICS) Reboot Fix
Or after reboot, re-activate ICS manually or automatically.
Or use Powershell method instead.